Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Noob q: why can't endpoints ping6 google, nor go further than a close-in outside router?

    Scheduled Pinned Locked Moved IPv6
    14 Posts 4 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • MrPeteM
      MrPete @JKnott
      last edited by MrPete

      @jknott Thanks for your help!

      IMPORTANT: the original Q may have been a red herring. Not this endpoint link-local, and that endpoint did NOT obtain a global addr, so all bets off.

      However, I have the same bottom line issue: endpoints can't reach the internet.

      As noted, I'm using an HE tunnel; I have a /48 block, and do have v6 address.

      Everything works fine from pfSense (I can ping6, traceroute6, etc)

      From endpoints, wired or wireless, no.

      • Can't ping -6 google
      • Can't ping -6 the global address of subnet gateway
      • If ping -6 the link-local of subnet gate, the first ping gets destination unreachable, then it works
      • if ping -6 the near end address of the HE tunnel, it works (....::1)
      • if ping -6 the far end addr of HE tunnel, it fails (....::2)
      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @MrPete
        last edited by johnpoz

        @mrpete so what exactly did you setup?

        If you are using a /48 from HE, you would of setup the /64 given in the tunnel details, then another you would pick a /64 out of your /48 for your lan..

        That you have to setup... Its more than just setting up the tunnel.

        https://docs.netgate.com/pfsense/en/latest/recipes/ipv6-tunnel-broker.html

        if ping -6 the far end addr of HE tunnel, it fails (....::2)

        Did you setup the gateway in routing?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        MrPeteM 2 Replies Last reply Reply Quote 0
        • MrPeteM
          MrPete @johnpoz
          last edited by MrPete

          @johnpoz yep. followed all instructions.

          Gateway is up, passing data.

          gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
          description: WANv6_tun
          options=80000<LINKSTATE>
          tunnel inet 207.xxx.211 --> 184.xxx.46
          inet6 2001:xxx:3c7::2 --> 2001:xxx:3c7::1 prefixlen 128
          inet6 fe80::...:fd55%gif0 prefixlen 64 scopeid 0x10
          groups: gif
          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

          And it works100% from inside pfsense.

          For testing, I've installed firewall rules allowing ALL ipv6 from WAN, and ALL from all LAN interfaces (I have several VLANs)

          I do have CARP. Perhaps there are tricks there. But since it works from pfSense, seems that ought not be an issue.

          I thought perhaps my wifi (unifi)... but same with wired.

          I'm trunking all LAN through a Netgear GSS108e -- they claim it does ipv6 pass through. No smart switch commands to show me its tables unfortunately...

          1 Reply Last reply Reply Quote 0
          • MrPeteM
            MrPete @johnpoz
            last edited by

            @johnpoz
            Note that the failures only exist from endpoints.

            From pfSense I can ping6 both ends of the tunnel, as well as the outside world...

            GertjanG johnpozJ 2 Replies Last reply Reply Quote 0
            • GertjanG
              Gertjan @MrPete
              last edited by Gertjan

              @mrpete

              You do pass IPv6 traffic on LAN :

              deb0107f-06ec-4038-89c3-50aacfa32c6b-image.png

              No rules are needed on WAN.

              I'm using the DHCPv6 server,

              My he.net settings :

              4b99e251-f60b-4d06-8223-d04981009a56-image.png

              This is my LAN IPv6 setup - note that it's using the single /64 from from he.net, not a /64 block from the the /48 :

              b6718902-3d6c-4e78-804f-25dd4df7004d-image.png

              The DHCPv6 server setup with pool :

              01d8bba7-0a7a-41e2-afe5-2c3bb3f624e2-image.png

              and

              eaa51d50-6c0b-4336-b75d-a4bfb8e55b55-image.png

              Now you should see "DHCP" IPv6 traffic in the DHCP logs.

              I also set up a of of static DHCPv6 assignments so my devices have 'static' IPv6 every where, without assigning anything on the LAN devices.
              Have the device connect ones, it will get an IPv6 from the pool. With the DUID obtained, you can assign it an IPv6 outside of the pool. This is of course optional.
              Some LAN devices need to be made DHCPv6 aware. Windows PC's : activate IPv6 protocol if it wasn't already activated, and done.

              edit : The DHCPv6 server probably doesn't work with Android Phone devices, I can't tell, I do not have one of them. Apple stuff works out of the box, the have their Ipv6 and use it.
              Same for Microsoft products.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @MrPete
                last edited by

                @mrpete said in Noob q: why can't endpoints ping6 google, nor go further than a close-in outside router?:

                From pfSense I can ping6 both ends of the tunnel,

                Which says nothing about your lan /64 you assigned, or the firewall rules might not have setup. Or that your end point actually got an IPv6 out of your /64 you setup, etc.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                MrPeteM 1 Reply Last reply Reply Quote 0
                • MrPeteM
                  MrPete @johnpoz
                  last edited by

                  @johnpoz said:

                  Which says nothing about your lan /64 you assigned, or the firewall rules might not have setup. Or that your end point actually got an IPv6 out of your /64 you setup, etc.

                  Thanks heaps for sticking with me on this.

                  I have a more complex setup than yours: multiple VLANs, a bunch of Unifi AP's, and CARP. For now I'm ignoring CARP (hopefully doesn't matter) and Unifi (may want to do its own DHCPv6 via PD.)

                  So, I am using the /48 since I can't pass on /64's without it.

                  Other than that, quite similar setups:

                  From HE: 2001:470:432a::/48

                  Here's my firewall rule in my "All_Internal" group:
                  3d0e364e-f77b-421e-98ff-4633b7d06606-image.png

                  And here's my main VLAN that I'm working on...

                  A static IPv6 block (similar to v4 subnet number to keep me sane ;) )
                  067be7d3-e599-42ad-9e1f-8ddac8e18b3d-image.png

                  And DHCPv6...
                  11c789c8-5301-47c9-8063-976f810984c7-image.png
                  I'm using "Assisted" RA because we do have Android and other devices that don't like DHCPv6

                  I too have a bunch of static DHCPv6 assignments.**

                  Endpoints do get IP's.
                  e052f2c8-70f4-42b8-8674-4eba07b794a6-image.png
                  Interestingly the wired Win10 endpoints get immediate result from "ipconfig /renew6" but on wifi it often takes a minute or longer. Sometimes immediate. No idea why at this point.

                  Huh. Just had a thought: do I need to open explicit firewall holes, in pfSense and/or endpoints, for fe80* 2001* etc???

                  That seems crazy, but bugs abound.

                  (**Side issue, HPDL: For now I've avoided touching my main email server. The Web/VirtualMin environment does NOT want to grab IP from DHCP but have it manually assigned, and I've not worked out how to extract a DUID from the underlying Debian setup. And anyway, can't break email so ipv6 is fully disabled there for now ;) )

                  HPDL: Hard Part, Do Later

                  GertjanG johnpozJ 2 Replies Last reply Reply Quote 0
                  • GertjanG
                    Gertjan @MrPete
                    last edited by Gertjan

                    @mrpete said in Noob q: why can't endpoints ping6 google, nor go further than a close-in outside router?:

                    and I've not worked out how to extract a DUID from the underlying Debian setup

                    Thats why you activate the DHCPv6 client on a device.
                    Have it grab an IPv6 from the pool.
                    You see the lease, you have the dude.
                    Now you can make a static lease.

                    @mrpete said in Noob q: why can't endpoints ping6 google, nor go further than a close-in outside router?:

                    in pfSense and/or endpoints, for fe80* 2001* etc???

                    Hummm.
                    jimp said ones, way back, that I should add these rules :

                    f98eb677-97ad-480d-a8db-2a50d6076826-image.png

                    The last one is mine. You saw it already.
                    The 3 above (two of them are not used) are added later, dono if they are really needed, as the last one pass all IPv6 traffic (IMHO).

                    These are all my LAN rules.
                    Don't like to block myself.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @MrPete
                      last edited by

                      @mrpete tell you right now this is wrong!

                      wrong.jpg

                      You would not set anything other than /64 here.. Only time you really wouldn't be using /64 in IPv6 is when your doing prefix delegation, or in a firewall rule cidr, etc. or like a p2p link with say a /128

                      If your actually going to assign an interface an IPv6 address - promise you the prefix is going to be /64 or your asking for issues! And you sure wouldn't be handing anything other than /64 with your dhcpd..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      MrPeteM 1 Reply Last reply Reply Quote 0
                      • MrPeteM
                        MrPete @johnpoz
                        last edited by

                        @johnpoz
                        Actually, /56 is just fine... I am (planning to) do prefix delegation etc.

                        GOOD NEWS!!! I found the issue. It was hiding in material on this thread all along.

                        I decided to go back to basics, and reviewed some material other people have out there.

                        Here's a key step NOT in the pfSense Tunnel instructions:

                        • Once you have an IPv6 address on your LAN interface, test it, and your end of the tunnel, from HE: User Functions-> IPv6 Portscan
                          d7fdf8e7-86e9-416c-9b22-649721cbbb63-image.png
                        • This will verify that HE can reach you, and that you have no firewall issues.

                        In my case, when I pasted the IPv6 of my .1 VLAN in, HE noticed a little issue 🙄

                        • My /48 is 2001:470:432a::/48
                        • My LAN was 2001:450:432a:0100::1

                        Picky picky picky, only off by one character LOL

                        Fixed that (and all of this implications in my DHCPv6 etc) and pretty much everything is working!

                        Debriefing:

                        • Everything worked from pfSense because it doesn't actually use any of my IP's. It uses the near end of the tunnel.
                        • Note too: I also had to solve the MTU default issue (bug?)... no idea why pfSense defaults to 1280 for my tunnel?!!!
                        johnpozJ 1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @MrPete
                          last edited by

                          @mrpete said in Noob q: why can't endpoints ping6 google, nor go further than a close-in outside router?:

                          Actually, /56 is just fine... I am (planning to) do prefix delegation etc.

                          I don't think so. Your interface should have a /64 on it... What you delegate would be under the delegation pool range.

                          Your downstream device for example would grab an IP out of the /64 range, and then request a delegation for networks for it to use and hand out behind it.. Its wan would have an IP out of the /64, and it would get a say a /56 that it would use for delegation for stuff behind it.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          MrPeteM 1 Reply Last reply Reply Quote 0
                          • MrPeteM
                            MrPete @johnpoz
                            last edited by

                            @johnpoz said...

                            I don't think so. Your interface should have a /64 on it... What you delegate would be under the delegation pool range.

                            Your downstream device for example would grab an IP out of the /64 range, and then request a delegation for networks for it to use and hand out behind it.. Its wan would have an IP out of the /64, and it would get a say a /56 that it would use for delegation for stuff behind it.

                            Meaning, what it delegates would not overlap with what it has itself... which is not allowed.

                            Try it for yourself; I just did:

                            • Whatever the size you provide to the interface...

                            • Is the TOTAL range available to that interface, including all delegated ranges.

                            • If /64, then only /64 or smaller is available for any use under that interface.

                            By using /56:

                            • I can set a /64 range for DHCPv6 of the interface
                            • AND I can allocate a lot of space for delegation (say, /60)

                            In practical terms...
                            if /48 is aaaa:bbbb:cccc::
                            and /56 for an interface is aaaa:bbbb:cccc:9900::

                            Then for that ifce DHCPv6, it has ...9900 through ...99ff available.

                            • So I can use ...9900 for my own /64 dhcp
                            • and ...9910-991f would be a nice /60 delegation
                            • etc.

                            (BTW, I've learned to allocate from the left in a quad (abcd)... because :1: means :0001: not :1000: ... that took me a few moments to realize!)

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.